Biz Email Fraud Could Hit $1 Billion

Wire fraud perpetrated via business email compromises has quickly become a top concern for banking institutions. David Pollino, bank fraud prevention officer at Bank of the West, now predicts wire fraud losses in the U.S. linked to such "masquerading" schemes could exceed $1 billion this year.

In fact, the losses from these emerging schemes could be higher than any wire and ACH losses linked to account takeovers, he says.

"Traditionally, whether it was phishing or malware, you saw the criminals getting the username and password and then executing the transaction or takeover of the victim's computer to wage the attack," Pollino says. "With these new attacks, we see the actual compromise of the business. The victims are fooled into the legitimacy of the wire transfer."

A Socially Engineered Scheme

Masquerading schemes do not involve malware or an account takeover. Instead, attackers use socially engineered schemes that are designed to fool a business's accounting or administrative staff into scheduling an urgent wire transfer they believe has been requested by the CEO or other corporate executive, Pollino explains.

These attacks, waged against a banking institution's commercial customers, may involve a spear-phishing attack to take over a corporate executive's legitimate email account, or the creation of a similar domain so that fraudulent emails sent appear, at a glance, to be legitimate, he says.

"In a masquerading attack, hackers impersonate someone you or your business knows, such as the CEO or CFO or a vendor the company does business with," Pollino writes in a blog about this emerging scheme. "The hackers phone or email someone in the company - for example, the controller - requesting a wire transfer. The controller, believing the email or phone call is legitimate, then contacts the bank to request the wire transfer."

While most institutions require out-of-band authentication, such as callbacks, to confirm wire transfers, "the controller or someone else with financial authority will insist the wire transfer request is legitimate and will verbally authorize the bank to proceed," Pollino says. "Once the transfer goes through, it is very difficult to recoup the stolen money."

And it's not just a U.S. problem. "This is a global fraud trend," he adds.

"While many financial institutions said that their transactional analytics catch many of these on the back-end, they said many of the attempts still slip through because the criminals are purposely structuring the dollar amounts to fall below the radar - $40,000 here, $70,000 there. So most of the FIs I spoke with said that they are seeing millions of dollars in losses hit their business customers," Conroy says. "This is an escalating problem."

Most businesses have no mechanisms in place to flag fraudulent emails sent to employees that claim to be from an executive within the company or a bank, Peterson claims.

He also notes that there is nothing fancy about the latest business email compromise attacks. "BEC has no attachment, no URL; just a plain-text email request to initiate a wire," Peterson says. "Sandboxing, Web security and anti-spam is useless. I have yet to see a bank [or business] with an approach that will be effective."

Pollino says, however, that these attacks are well designed to psychologically confuse the email recipient.

"When you think about the core of this attack, it is a social engineering attack," Pollino says. "You'll see that they are highly sophisticated from a social engineering perspective. The emails are very convincing."

This is why businesses need to have tools in place to ensure they can review and authenticate these transactions before they submit the wire transfer request to their bank or credit union, he adds. What's more, banking institutions need to have additional measures in place, such as a multi-person approval process, to ensure wire-transfer requests are legitimate before they are approved, he adds.
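One shape such a pre-submission review tool could take, as an added example that is neither Pollino's nor any bank's code: a filter that raises the red flags the article describes (an executive's display name on an address that is not theirs, a sender domain that merely resembles the company's, urgent wire language in a plain-text body). `COMPANY_DOMAIN`, `EXECUTIVES` and the two sample messages are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed values: the company's own domain and the executives whose names
# a masquerading email would borrow. Replace with data from your directory.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}
# Wording that pressures the recipient to act quickly on a payment.
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|wire|transfer)\b", re.I)

# Constructed sample messages: one masquerading request and one legitimate mail.
SAMPLE_FRAUD = ({"From": '"Jane Doe" <jane.doe@examp1e-corp.com>'},
                "Please process this wire transfer today, it is urgent. I am in a meeting.")
SAMPLE_LEGIT = ({"From": '"Jane Doe" <jane.doe@example-corp.com>'},
                "Can we move the budget review to Thursday?")

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain: str) -> str:
    """Fold the character substitutions lookalike domains rely on (1/l, 0/o, rn/m)."""
    return domain.lower().replace("1", "l").replace("0", "o").replace("rn", "m")

def lookalike_domain(domain: str) -> bool:
    """True when the sender domain resembles, but is not, the company domain."""
    if domain.lower() == COMPANY_DOMAIN:
        return False
    if normalize(domain) == normalize(COMPANY_DOMAIN):
        return True
    return levenshtein(domain.lower(), COMPANY_DOMAIN) <= 2

def red_flags(headers: dict, body: str) -> list:
    """Return the red flags raised by one message (an empty list means none)."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2]
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        flags.append("display name is an executive's but the address is not theirs")
    if lookalike_domain(domain):
        flags.append(f"sender domain {domain!r} resembles {COMPANY_DOMAIN!r}")
    if URGENCY.search(body):
        flags.append("urgent payment language in the body")
    return flags
```

Calling `red_flags(*SAMPLE_FRAUD)` returns all three flags, while `red_flags(*SAMPLE_LEGIT)` returns an empty list; a flagged message is the one to hold for the callback and second approver the article recommends.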

"Financial institutions should be educating their customers, and they should do callbacks and modify their [callback] scripts to ensure that they are pointing out the current fraud trends, such as red flags that go up when an urgent or quick transaction is requested," Pollino says.

A Risk That Can Be Controlled

Bill Nelson, president and CEO of FS-ISAC, says banking institutions that implement additional transaction-verification strategies can reduce their business customers' fraud risks. "Banks are helping their business customers by monitoring activity and delaying wires in order to give business customers enough time to confirm the legitimacy of the wire instructions before they are released," he says.

But Nelson portrays fraud related to business email compromises as "a very controllable risk." He notes: "Companies' treasury management and accounts payable staff need to become more aware of this threat and institute controls to prevent bogus payments from being made. ... The FBI has done a good job of creating initial awareness about the schemes being employed and how to detect and prevent losses. There will be more educational material coming out in the next few weeks and months from law enforcement, FS-ISAC and others."

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
